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REMARKS 

The Examiner has rejected Claims 1-3, 5-9, 12, 14-19, 21-25, 28, 30-35, 37-41, 
44, 46-5 1, 53-57, 60, 62-67, 69-73, 76, 78-83, 85-89, 92, and 94-98 under 35 U.3.C. 1 12, 
second paragraph, as being indefinite for failing to particularly point out and distinctly 
claim the subject matter which applicant regards as the invention. In response, applicant 
asserts that the Examiner's rejections are avoided by virtue of the amendments made to at 
least a portion of the foregoing claims. In addition, applicant respectfully points out that 
Claims 7, 19, 23, 39, 51, 55, 71, 83 and 87 do not recite "said resource data," as the 
Examiner notes, and therefore the Examiner's rejection with respect to such claims is 
deemed inapplicable. 

The Examiner has also rejected Claims 1-3, 5-9, 1 1-12, 14-19, 21-25, 27-28, and 
30-32 under 35 U.S.C. 101 as being directed toward non-statutory subject matter. 
Applicant has clarified independent Claims 1 and 17 to include a computer program 
product "in a computer storage medium" in order to avoid such rejection, as suggested by 
the Examiner, 

In addition, the Examiner has rejected Claims 1-3, 5, 9, 12, 14, 17-19, 21, 25, 28, 
30, 33-35, 37, 41, 44, 46, 49-51, 53, 57, 60, 62, 65-67, 69, 73, 76, 78, 81-83, 85, 89, 92, 
94, and 98 under 35 U.S.C. 103(a) as being unpatentable over Cozza (U.S. Patent No. 
5,649,095) in view of Hypponen et al. (U.S. Patent No. 6,577,920). Applicant 
respectfully disagrees with such rejection, especially in view of the amendments made 
hereinabove to the independent claims. Specifically, applicant has amended the 
independent claims to at least substantially include the subject matter of former 
dependent Claim 97. 

With respect to the independent claims, the Examiner has relied on the following 
excerpts from the Cozza and Hypponen references to make a prior art showing of 
applicant's claimed technique "wherein said generated fingerprint data includes a number 
of program resource items specified within said resource data of said packed computer 
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file" (as amended, see this or similar, but not necessarily identical language in the 
independent claims). 



^According to a second aspect of the present invention there is 
provided a method of screening a. software file for viral 
infection, the method comprising: 

defining a first database of known macro virus signatures, a 
second database of known and certified commercial macro 
signatures, and a third database of known and certified local 
macro signatures;. 

scanning said file to determine whether or not the file contains 
a macro; and, if the file contains a macro 
determining a signature for the macro and screening that 
signature against the signatures contained in said databases; 
and" {Hypponen, Col. 3, lines 14-25) 

"A third example involves the nature of multi-fork file storage 
on computers such as the Apple Macintosh. Typically one> fork of a 
file, for example the resource fork on Macintosh computers, may 
contain a kind of small database which is used to contain many 
kinds of data, including application code, icons, preferences, 
strings, templates, and other such items. A change in size to 
3uch a fork may not indicate a change to application code, but 
rather a change to something else such as user preferences. It is 
therefore necessary to handle this Complexity in a proper manner 
so as to optimize speed enhancement without compromising scan 
effectiveness, v (Cozza, Col. 2, paragraph 7) 

Applicant respectfully asserts that the excerpt from Hypponen relied upon by the 
Examiner merely discloses "scanning said file to determine whether or not the file 
contains a macro" and "determining a signature for the macro." In addition, the excerpt 
from Cozza simply discloses that "one fork of a file . . > may contain a kind of small 
database which is used to contain many kinds of data, including application code, icons, 
preferences, strings, templates, and other such items " However, scanning a file and 
determining the signature of a macro, coupled with a disclosure that a file may contain 
many kinds of data, simply fails to suggest a technique "wherein said generated 
fingerprint data includes a number of program resource items specifi c within sai^ 
resource data of said packed computer file" (emphasis added), as claimed by applicant. 



In addition, in the office action mailed 03/14/2006, the Examiner argued that 
"Hypponen taught that file signatures should be used to detect viruses (see Hypponen 
Col. 3 Lines 14-25) and Cozza disclosed the files containing resource items (i.e. 
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application code, icons, preferences, strings, templates) specified within resource data 
(i,e, resource fork) (See Cozza Col. 2 Paragraph 7) " Applicant respectfully asserts that 
Hypponen specifically discloses "determining a signature for the macro and screening 
that signature against the signatures contained in said databases " (emphasis added). 
Additionally, Cozza specifically discloses that the Resource fork . . . may contain a kind 
of small database which is used to contain many lands of data, including application 
code, icons, preferences, strings, templates, and other such items." Clearly, determining 
a macro signature in a file, combined with the disclosure of a resource fork containing 
many kinds of data, fails to even suggest a technique "wherein said generated fingerprint 
data includes a number of program resource items specified within said resource data of 
said packed computer file" (emphasis added), as claimed by applicant. 

In the Office Action mailed 09/01/2006, the Examiner responded to applicant's 
arguments and argued that "[although Hypponen does pertain to "macros," more 
generally, Hypponen pertains to comparison of two checksums for determining whether a 
set of data contains malicious data, and it would have been readily apparent to one of 
ordinary skill in the art at the time of invention that comparison between checksums 
would be faster than comparison of the entire set of data the checksums were derived 
from." 

Applicant disagrees and respectfully asserts that "comparison of two checksums 
for determining whether a set of data contains malicious data," as noted by the Examiner, 
fails to even suggest "fingerprint data that includes a number of program res ource items 
specified within said generated fingerprint data" (emphasis added), as applicant claims. 
Again, applicant respectfully asserts that Hypponen simply teaches that "\'i]f one or more 
macros is identified in the file, a checksum signature is determined for the/or each 
identified macro" (see Col. 5, lines 29-31 - emphasis added). Hypponen further teaches 
that "[assuming that a single macro is identified in the file, the macro virus 
controller. „ scans the first database. . .to determine whether or not the corresponding 
signature is present in that database" (see Col. 5, lines 32-35 - emphasis added). 
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Clearly, disclosing that a signature is determined if a macro is identified in a file, 
and then determining if the corresponding signature is present in a database, fails to 
suggest a technique "wherein said generated fingerprint data includes a number of 
program resource items specified within said resource data of said packed computer file 5 ' 
(emphasis added), as claimed by applicant 

Further, with respect to the independent claims, the Examiner has relied on Col. 3 
from Cozza and CoL 3, lines 14-25 from Hypponen to make a prior art showing of 
applicant's claimed technique "wherein said generated fingerprint data includes a flag 
indicating which data is included within said generated fingerprint data" (as amended, see 
this or similar, but not necessarily identical language in the independent claims). 

Applicant respectfully asserts that the excerpt from Cozza relied on by the 
Examiner merely discloses two sets of flags, for the first "set of flags the system utilizes a 
bit field large enough so that there is one bit corresponding to every known Macintosh 
virus" (Cozza, CoL 5, lines 29-32) and that the "second set of flags resides in the cache 
information" (Cozza, CoK 5, line 40). In addition, applicant notes that the second set of 
flags is used to indicate "that no virus was found previously in the last scan of the file" or 
''which virus was found first in the file." (Cozza, CoL 5, lines 42-47), Applicant also 
respectfully asserts that Hypponen teaches "determining a signature for the macro and 
screening that signature against the signatures contained in said databases " (emphasis 
added). 

However, Cozza' s disclosure of flags corresponding to every known virus and 
flags in the cache indicating previous scan results, when taken in combination with 
Hypponen's disclosure of determining macro signatures and checking them against 
signatures in a database, simply fails to suggest a technique "wherein said generated 
fingerprint data includes a flag indicating which data is included w ithin said generated 
fingerprint data " (emphasis added), as claimed by applicant. There simply is no 
disclosure in the excerpts from Cozza or Hypponen of 'fingerprint data [that] includes a 
flag 3 " as claimed by applicant 
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In addition, in the office action mailed 03/14/2006, the Examiner argued that 
"[c]olumn 3 of Cozza clearly indicated that a set of flags was used to indicate the result 
(which viruses were found in the file) of the scan." Further, the Examiner argued that 
"[ijn combination, the signature of the file is used to represent the file during 
comparison" and "[t]herefore, it is clear that in combination the flags represent which 
viruses were identified in the signature." However, applicant respectfully asserts that the 
disclosure of flags representing which viruses were identified in the signature fails to 
even suggest a technique "wherein said generated fingerprint data includes a flag 
indicating which data is included within said generated fingerprint data" (emphasis 
added), as claimed by applicant* 

In the Office Action mailed 09/0 1/2006, the Examiner argues that 'the 
[E]xaminer has previously addressed this argument and is again not persuaded." Again, 
applicant respectfully asserts that Cozza 1 s disclosure of flags corresponding to every 
known virus and flags in the cache indicating previous scan results, when taken in 
combination with Hypponen's disclosure on determining macro signatures and checking 
them against signatures in a database* simply fails to suggest a technique "wherein said 
generated fingerprint data includes a flag indicating which data is included within said 
generated fingerprint data " (emphasis added), as claimed by applicant. 

Still yet, with respect to the independent claims, the Examiner has relied on the 
following excerpt from the Cozza reference to make a prior art showing of applicant's 
claimed technique "wherein said generated fingerprint data includes a location within 
said resource data of said packed computer file of an entry specifying a program resource 
item having a largest size" (as amended, see this or similar, but not necessarily identical 
language in the independent claims), 

"...size when infecting. If a file's caclie information is not 
marked as having been previously infected by some virus which 
changes a file's resource fork size, then tha file's current 
resource fork size is compared with the resource fork size stored 
in the file's cache information in step 66 to see if they are 
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within soma predetermined tolerance. The tolerance in this step 
is determined based upon the size of viruses infecting a file 1 a 
resource fork on the Apple Macintosh computer, upon the type of 
file being infected, and upon the typical size changes that might 
occur in Macintosh applications and other executable files due to 
minor changes by which the file might modify itself. This 
tolerance may vary from one file to another depending on file 
type and other factors. If these sizes are not within the 
predetermined tolerance, then flags are set for all viruses that 
might cause this file's resource fork to change size when 
infecting it in step 68." (Cozza, Col. 6, lines 29-45 - emphasis 
added) 

Applicant asserts that the excerpt from Cozza relied upon by the Examiner merely 
discloses comparing tc the file's current resource fork size - . . with the resource fork size 
stored in the file's cache information in step 66 to see if they are within some 
predetermined tolerance " (emphasis added). Clearly, checking a current or stored 
resource fork size simply fails to even suggest a technique "wherein said generated 
fingerprint data includes a location within said resource data of said packed computer file 
of an entry specifying a program resource item having a largest size" (emphasis added), 
as claimed by applicant. The excerpt from Cozza simply fails to disclose "a program 
resource item having a largest size/' as claimed by applicant. 

In the Office Action mailed 09/01/2006, the Examiner argues that "[i]t was 
obvious that in the combination, a program resource having a largest size was included in 
the fingerprint, as resources were included and it was inherent that one of the included 
resources was the largest of the included resources " 

In response, applicant respectfully disagrees and asserts that the fact that a certain 
result or characteristic may occur or be present in the prior art is not sufficient to establish 
the inherency of that result or characteristic. In re Rijckaert, 9 F.3d 1531, 1534, 28 
USPQ2d 1955, 1957 (Fed. Cir. 1993); In re Oelrich, 666 F.2d 578, 581-82, 212 USPQ 
323, 326 (CCPA 1981). "To establish inherency, the extrinsic evidence 'must make clear 
that the missing descriptive matter is necessarily present in the thing described in the 
reference, and that it would be so recognized by persons of ordinary skill. Inherency, 
however, may not be established by probabilities or possibilities. The mere fact that a 
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certain thing may result from a given set of circumstances is not sufficient 1 " In re 
Robertson, 169 F,3d 743, 745, 49 USPQ2d 1949, 1950-51 (Fed. Cir. 1999). 

Further, applicant respectfully asserts that even if "a program resource having a 
largest size was included in the fingerprint " as alleged by the Examiner, such does not 
even suggest any sort of location, let alone applicant's claimed "generated fingerprint 
data [that] includes a location within said resource data of said packed computer file_ofan 
entry specifying a program resource item having a largest size" (emphasis added), as 
claimed. 

To establish a prima facie case of obviousness, three basic criteria must be met 
First, there must be some suggestion or motivation, either in the references themselves or 
in the knowledge generally available to one of ordinary skill in the art, to modify the 
reference or to combine reference teachings. Second, there must be a reasonable 
expectation of success. Finally, the prior art reference (or references when combined) 
must teach or suggest all the claim limitations. The teaching or suggestion to make the 
claimed combination and the reasonable expectation of success must both be found in the 
prior art and not based on applicant's disclosure. In re VaectyAl F.2d 488, 20 USPQ2d 
1438 (Fed.Cir. 1991). 

Applicant respectfully asserts that at least the third element of the prima facie 
case of obviousness has not been met, since the prior art references, when combined, fail 
to teach or suggest all of the claim limitations, as noted above. Nevertheless, despite 
such paramount deficiencies and in the spirit of expediting the prosecution of the present 
application, applicant has incorporated the subject matter of former Claim 97 into the 
independent claims. 

With respect to the subject matter of former Claim 97 (now at least substantially 
incorporated into the independent claims), as rejected under 35 U.S,C. 103(a) as being 
unpatentable over Cozza, in view of Hypponen, in further view of Pietrek ("Peering 
Inside the PE: A Tour of Win 32 Portable Executable"), the Examiner has relied on the 
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rejection of Claim 1, as well as> Figure 5 and Table 13 from Pietrek to make a prior art 
showing of applicant's claimed technique "wherein said generated fingerprint data 
includes a checksum value calculated in dependence upon: a number of program 
resource items specified beneath each node within hierarchically arranged resource data 
of said packed computer file; string names associated with program resource items within 
said resource data of said packed computer file; and sizes of program resource items 
within said resource data of said packed computer file," 

Applicant respectfully asserts that the Examiner's rejection of Claim 1 does not 
specifically address applicant's claimed limitations. In addition, applicant respectfully 
asserts that the only checksum relied on by the Examiner with respect to Claim 1 relates 
to a checksum of a macro, which clearly does not even suggest "a checksum value 
calculated in dependence upon: a number of program resource items specified beneath 
each node within hierarchically arranged resource data of said packed computer file; 
string names associated with program resource items within said resource data of said 
packed computer file; and sizes of program resource items within said resource data of 
said packed computer file," as applicant claims. 

Furthermore, applicant respectfully asserts that Figure 5 and Table 13 from 
Pietrek merely show a resource directory hierarchy example and the resources hierarchy 
for CLOCK.EXE. However, the table and figure relied upon by the Examiner in no way 
suggest ' 'fingerprint data [that] includes a checksum value calculated in dependence 
upon : a number of program resource items specified beneath each node within 
hierarchically arranged resource data of said packed computer file; string names 
associated with program resource items within said resource data of said packed 
computer file; and sizes of program resource items within said resource data of said 
packed computer file" (emphasis added), as claimed by applicant. 

Again, applicant respectfully asserts that at least the third element of the prima 
facie case of obviousness has not been met, since the prior art references, when 
combined, fail to teach or suggest all of the claim limitations, as noted above, Thus 5 a 
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notice of allowance or specific prior art showing of each of the foregoing claim elements, 
in combination with the remaining claimed features, is respectfully requested. 

Applicant further notes that the prior art is also deficient with respect to the 
dependent claims. For example, with respect to Claim 3 et al., the Examiner has relied on 
the following excerpt from the Cozza reference to make a prior art showing of applicant's 
claimed technique 'Vherein said resource data of said packed computer file comparing 
logic is operable to compare said resource data with characteristics of a plurality of 
known computer programs to detect if said packed computer program contains one of 
said plurality of known computer programs" (as amended, see this or similar, but not 
necessarily identical language in the independent claims). 

"-resource map, and the size of the virusee that can infect a 
Macintosh resource fork. l£ it is then necessary to scan the 
resource fork foi resource fork viruses, this is done in step 90. 
However, scanning is only required those viruses which infect 
resource forks and for which flags have been set in the steps 
above/ (Cozza, Col. 7, lines 35-40 - emphasis added) 

Applicant respectfully asserts that the excerpt from Cozza relied upon by the 
Examiner merely teaches that "[i]f it is then necessary to scan the resource fork for 
resource fork viruses," then "scanning is only required those viruses which infect 
resource forks and for which flags have been set." However, Cozza* s disclosure to scan 
the resource fork for only those viruses which infect resource forks fails to even suggest a 
technique "wherein said resource data comparing logic is operable to compare said 
resource data of said packed computer file with c^ aractftri st ies of a plurality of known 
computer programs to detect if said packed computer program contains one of said 
plurality of known computer programs" (emphasis added), as claimed by applicant. 

In the Office Action mailed 09/01/2006, the Examiner argues that "[t]he scanning 
of the resource fork for resource fork viruses does fall within the scope of claim recitation 
as in order to scan one set of data for second set of data, the characteristics of the second 
set must be compared with the first." Applicant respectfully disagrees and asserts that 
Cora's disclosure to scan the resource fork for only those viruses which infect 
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resource forks fails to even suggest a technique '"wherein said resource data comparing 
logic is operable to compare said resource data of said packed computer file with 
characteristics of a plurality of known computer programs to detect if said packed 
computer program contains one of said plurality of known computer programs" 
(emphasis added) 3 as claimed by applicant. 

Moreover, with respect to Claim 14 et al., the Examiner has relied on the 
following excerpt from the Hypponen reference to make a prior art showing of 
applicant's claimed technique fit wherein said checksum value is rotated between each 
item being added into said checksum." 

*For the purposes of this example, the signa-ture used is a 
checksum derived using a suitable cheokeum. calculation algorithm, 
such as the US Department of Defence Secure Hash Algorithm (SHA) 
or the older CRC 32 algorithm." (Hypponen, Col. 4, lines 5 6-59 - 
emphasis added) 

Applicant asserts that the excerpt from Hypponen relied upon by the Examiner 
merely teaches that "the signature used is a checksum derived using a suitable checksum 
calculation algorithm, such as ... SHA." However, applicant respectfully asserts that the 
SHA algorithm rotates intermediate values used in the calculation of the SHA checksum 
which simply fails to meet a technique "wherein said checksum v alue is rotated between 
each item being added into said checksum " (emphasis added), as claimed by applicant. 

In the Office Action mailed 09/01/2006, the Examiner argues that t( [i]f the 
checksum is rotated after each operation, as is SHA, then it stands that 'between each 
item' the checksum was rotated " Applicant respectfully disagrees and asserts that 
simply rotating between operations, as the Examiner notes, does not meet applicant's 
claimed "checksum value is rotated between each item bei nft added into said 
checksum" (emphasis added). 

In addition, with respect to Claim 12 et aL> the Examiner has rejected the same 
under 35 U.S.C. 103(a) as being unpatentable over Cozza in view of Hypponen, in further 
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view of Hodges et al. (U.S, Patent No. 6,269,456). Specifically, the Examiner has relied 
on the following exceipts from the Hodges reference to make a prior art showing of 
applicant's claimed technique "wherein said generated fingerprint data includes 
timestamp data indicative of a time of compilation of said known computer program" (as 
amended). 



"Generally speaking, a recent trend is for manufacturers of 
antivirus applications to update their virus signature files 
VIRUS SIGNATURES. DA* as new viruses are discovered and as cures 
for these viruses are developed, and to make these updated 
signature files available to users on a periodic basis (e.g. 
monthly, quarterly, etc.). For example, an antivirus program 
manufacturer may post the update file VIRUS_SIGNATURES.DAT on a 
bulletin board system, on an FTP (File Transfer Protocol) site, 
or on a World Wide Web site for downloading by users." (Hodges, 
Col. 2, paragraph 6 - emphasis added) 

"These and other objects are achieved by a method and system for 
updating local client computers with antivirus software updates 
from a central antivirus server, the local client computers and 
the central antivirus server being coupled by a packet -switched 
network, wherein the antivirus software updates are transferred 
from the central antivirus server to a given local client 
computer using a push technology method. The central antivirus 
server comprises a first database containing information related 
to the latest antivirus software updates contained on each local 
client computer, and usee push technology to transmit updated 
antivirus files if the local client computer's antivirus files 
are out of date, '* (Hodges, Col. 4, paragraph 6 - emphasis added) 

Applicant respectfully asserts that the exceipts from Hodges relied upon by the 
Examiner merely teach that "manufacturers of antivirus applications . . . update their virus 
signature files VIRUS_SIGNATURES.DAT as new viruses are discovered and as cures 
for these viruses are developed." In addition, Hodges teaches using "push technology to 
transmit updated antivirus files if the local client computer's antivirus files are out of 
date/ 1 However, the disclosure of updating antivirus signature files simply fails to even 
suggest a technique "wherein said generated fingerprint data includes timestamp dflta 
indicative of a time of compilation of said known computer program" (emphasis added), 
as claimed by applicant. There simply is no mention in the excerpts from Hodges 
anything regarding the use of "time of compilation of said known computer program" in 
the generated fingerprint data, as claimed by applicant. 
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In the Office Action mailed 09/01/2006, the Examiner argues that "Hodges 
teaches that the time that the signature (fingerprint) data was compiled should be 
included with the signatures and as such this timestamp indicates the time of compilation 
of the viruses (known computer program) into the DAT files, which meets the limitation 
of the claim language." Applicant respectfully disagrees and asserts that the excerpts 
relied upon by the Examiner merely teach that "a recent trend is for manufacturers of 
antivirus applications to update their virus signature files 

VIRUS_SIGNATURES.DAT as new viruses are discovered and as cures for these 
viruses are developed, and to make these updated signature files available to users on 
a periodic basis" (emphasis added). However, the excerpts relied upon by the Examiner 
in no way suggest a technique "wherein said generated fingerprint data includes 
timestamp data indicative of a time of compilation of said known computer program " 
(emphasis added), as claimed by applicant. Clearly the mere disclosure that "the time 
that the signature (fingerprint) data was compiled should be included with the 
signatures," as noted by the Examiner, does not even suggest 'timestamp data indicative 
of a time of compilation of said known computer program " (emphasis added), as claimed 
by applicant. 

Again, applicant respectfully asserts that at least the third element of the prima 
facie case of obviousness has not been met, since the prior art references, when 
combined, fail to teach or suggest all of the claim limitations, as noted above. Thus, a 
notice of allowance or specific prior art showing of each of the foregoing claim elements, 
in combination with the remaining claimed features, is respectfully requested. 

Thus, all of the independent claims are deemed allowable. Moreover, the 
remaining dependent claims are further deemed allowable, in view of their dependence 
on such independent claims. 

In the event a telephone conversation would expedite the prosecution of this 
application, the Examiner may reach the undersigned at (408) 505-51 00. The 
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Commissioner is authorized to charge any additional fees or credit any overpayment to 
Deposit Account No. 50-1351 (Order No. NAI1P467/00. 177.01). 



P.O. Box 721120 

San Jose, CA 95172^1 120 

408-505-S100 



Respeo 
Zilka-] 




submitted, 
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ation No. 41,429 
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